Java HTTP proxy vulnerability

by Nikola Strahija on March 5th, 2002

The Java security model is designed to allow code from an untrusted source, usually web applets, to be safely executed.

Reference wal-01
Version 1.0
Date March 05, 2002

===Cross references

Sun Security Bulletin #00216
Microsoft Security Bulletin MS02-013

Vulnerability identifier CAN-2002-0058 (under review)


Java, networking, HTTP
Web browsers, applets
Unchecked network access, HTTP proxy connection hijacking

===Abstract problem description

The Java security model is designed to allow code from an untrusted
source, usually web applets, to be safely executed.

An applet could make irregular, unchecked HTTP requests.

The network access restrictions that apply can be bypassed.
Only systems that have an HTTP proxy configured can be vulnerable.

One particularly nasty exploit is where a remote server, aided by a
hostile applet, hijacks a browser's persistent HTTP connection to its
configured HTTP proxy.

===Affected software & patch availability; vendor bulletins


Bulletin Number: #00216
Date: March 4, 2002
Title: HttpURLConnection
(At the time of this writing bulletin 216 was not available on
the website yet.)


Microsoft Security Bulletin MS02-013
Java Applet Can Redirect Browser Traffic
Originally posted: March 04, 2002
(URL is wrapped, please fix.)

Sun JVM (Java Virtual Machine) Issue

===Vendor contact
Shortly after I, more or less by coincidence, discovered the issue, I
reported it to Sun on April 07, 2001. They communicated it to their
Java licensees, and coordinated a synchronized response.

=Free Java implementations
I audited both Kaffe and GNU Classpath class libraries, and to the
best of my knowledge, they are not vulnerable to this issue. Anyone
out there developing a free(TM) Java, please contact me if you have
questions or concerns, and I will be happy to assist you in any way I

===Disclosure policy
I do not plan to release details of the vulnerability that could make
it easier for crackers to get exploits before a three month grace
period has expired. Customers should not assume that the lack of
vulnerability details at this time will prevent the creation of
exploit programs.

===Detailed problem description
No details are provided at this time.
See Disclosure policy.

I supplied Sun with a PoC-exploit, and they passed it on to other
vendors. No further distribution is expected.

===Software I tested/audited myself.
Sun/Blackdown 1.1.7/8, 1.2.2, 1.3.0/1 linux/win32
Netscape 4.61 default Java Runtime linux
MSIE 5.0 default Java Runtime win32
HotJava Browser 3.0
Kaffe 1.06
GNU Classpath 0.03

Thanks to the vendors for addressing the issue. Special thanks to
Sun, in particular Chok Poh, for coordinating.

===Disclaimer & Copying
Copying in whole and quoting parts permitted.

Version 1.0 is the first release of this document.

Author Harmen van der Wal
